Merge pull request #17878 from Homebrew/ww/mirrored-bottle-attestations

Homebrew · Jul 26, 2024 · 0b2a74d · 0b2a74d
2 parents 7522ed3 + 6e2975d
commit 0b2a74d
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb
@@ -188,7 +188,7 @@ def self.check_attestation(bottle, signing_repo, signing_workflow = nil, subject
  end
  end
 
- raise InvalidAttestationError, "no attestation matches subject" if attestation.blank?
+ raise InvalidAttestationError, "no attestation matches subject: #{subject}" if attestation.blank?
 
  attestation
  end
@@ -227,7 +227,17 @@ def self.check_core_attestation(bottle)
  # This was originally unintentional, but has a virtuous side effect of further
  # limiting domain separation on the backfilled signatures (by committing them to
  # their original bottle URLs).
- url_sha256 = Digest::SHA256.hexdigest(bottle.url)
+ url_sha256 = if EnvConfig.bottle_domain == HOMEBREW_BOTTLE_DEFAULT_DOMAIN
+ Digest::SHA256.hexdigest(bottle.url)
+ else
+ # If our bottle is coming from a mirror, we need to recompute the expected
+ # non-mirror URL to make the hash match.
+ path, = Utils::Bottles.path_resolved_basename HOMEBREW_BOTTLE_DEFAULT_DOMAIN, bottle.name,
+ bottle.resource.checksum, bottle.filename
+ url = "#{HOMEBREW_BOTTLE_DEFAULT_DOMAIN}/#{path}"
+
+ Digest::SHA256.hexdigest(url)
+ end
  subject = "#{url_sha256}--#{bottle.filename}"
 
  # We don't pass in a signing workflow for backfill signatures because